Critical Microprocessor Flaws Affect Nearly Every Machine

After a day of speculation over a reported design flaw in Intel processors, security researchers came clean late today with full disclosure of a new and widespread class of attack that affects most computers worldwide.

Researchers from Google's Project Zero Team, Cyberus Technology, Graz University of Technology, University of Pennsylvania and the University of Maryland, Rambus, and University of Adelaide and Data61, all discovered critical flaws in a method used by most modern processors for performance optimization that could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM, according to Google.

The two attacks, called Meltdown and Spectre, can be executed on desktop machines, laptops, mobile devices, and in cloud environments. That means an attacker could steal information from other cloud customers' systems, for example.

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. "If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure," the researchers wrote in an FAQ about the attacks. "Luckily, there are software patches against Meltdown," referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.

Spectre forces an application to share its secrets, and is a more difficult attack to pull off. According to the researchers, application "safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre." It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.

"Both attacks use side channels to obtain the information from the accessed memory location," the researchers said.

The researchers say they don't know if the exploits have been used in the wild.

Google senior security engineer Matt Linton, and technical program manager Pat Parseghian in a blog post today said Google went public with the vulns in advance of the planned January 9 coordinated disclosure date for all affected vendors "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Microsoft released an emergency patch for Windows late in the evening, after providing this statement in response to the disclosure: "We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Intel earlier in the day issued a statement, noting that it "believes these exploits do not have the potential to corrupt, modify or delete data." The chip vendors said it has been providing software and firmware updates to mitigate the attacks, and reports of peformance degradation won't "be significant" for the average use and "will be mitigated over time."

ARM issued a statement as well, noting that "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism."

Amazon also issued a statement: "This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," Amazon said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

I am sorry to an extent that I no longer own my trusty clone IBM XT system, that 8088 was indeed secure and back in 1985 malware written for DOS 6.22 was indeed rare. Internet barely exists and I used Compuserve (EasyPlex email) to communicate with the outside world. Inter-system connect was through PROCOMM (ah, there was a good product). Times change and not necessarily for the better.

Asking alot of this community, but there was some really fun stuff for that ancient sys. KINGDOM OF KROZ and variants were wonderful games. The screen MENU programs were delightful in simplicity and I sitll enjoyed old Word Perfect 4.2 as well. How many of us cut our teeth on LOTUS 1-2-3. You could do great stuff on these old platforms.

What I havent' seen explictly in the articles I have read about this is the nature of the programs that can execute this attack. For instance, can viewing a web page execute the attack? Or does it require that an actual EXE be executed on the machine? The reports I have seen so far imply that it an attack would require a program to execute on an affected machine. But it is implied only.

Agree - and many patches are due to be released by damn near everybody so I can see a trend that any software that accesses the processor (define now - everything) can be a source of penetration. What really disturbs me (my 8088 rants aside) is that it has taken YEARS for somebody to notice this one. We now have decade or longer vulnerability ranges which is terrifying.

I read this morning that there is a simple solution here and it is so in theory. REPLACE EVERYTHING. With what i do not know but JUST REPLACE EVERY COMPUTER EVERYWHERE. Remember too we are talking servers, data center machines, peripherals --- just replace. Consider the impact!!!!!! And if you accept this premise --- replace with, eh ---- WHAT precisely????? No new technologies that I have heard of discussed so far. Just PATCH PATCH AND PATCH and be careful out there.

Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...

Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privile...